During the past six months, the Carbon Black Threat Analysis Unit (TAU) analyzed more than 1,000 ransomware samples, categorizing them into 150 families, and found the following:

Attackers are looking to make quick, easy money with unsophisticated malware combined with sophisticated delivery methods. The majority of today’s ransomware aims to target the largest vulnerable population possible.

“Ransomware as a Service (RaaS)” and the emergence of Bitcoin have lowered the barrier to entry even further for attackers.

Some ransomware is beginning to implement non-malware tactics that leverage “trusted” native tools, such as Microsoft’s PowerShell. These tools can be used in the propagation of the ransomware as well as file encryption.

If global headlines in recent months are to be believed, ransomware’s increased ubiquity and sophistication have reached epidemic proportions. According to these reports, malware such as WannaCry and NotPetya have thrust ransomware into the public’s consciousness in an unprecedented fashion, while businesses around the globe scramble to keep up with the onslaught of attacks.

While it’s true that ransomware is more ubiquitous today than ever, a different reality exists when it comes to sophistication. According to a recent analysis of a large set of ransomware families by the Carbon Black TAU, the majority of today’s ransomware errs on the side of simplicity in an effort to target a mass set of victims as easily and quickly as possible. The net? Attackers are looking to make quick, easy money with unsophisticated malware, combined with sophisticated delivery methods.

To understand the world of ransomware, Carbon Black examined a sample set of more than 150 ransomware families. Our analysis reveals the majority of ransomware attacks are guided by simple economics and likely derive from unsophisticated actors who often leverage pre-existing do-it-yourself (DIY) attack kits purchased from the dark web.

Those who are striking out on their own also tend to use more basic programming languages, such as .NET, and reuse code from open-source projects and websites.

Episodic ransomware attacks, such as NotPetya, have made for splashy headlines, but reveal more about the general unpreparedness of worldwide businesses to handle these attacks than they do about a sophisticated evolution of ransomware. These attacks highlight that the industry at large is often failing to do infosec basics, such as patching.

Businesses appear to be focusing too greatly on next-generation threats while being unable to defend against the current era of basic malware. What’s more, the public attention to new threats distracts many organizations from the ability to tool their environments and train their staff to respond to basic attacks.

The level of effort needed to secure environments seems so daunting to many in leadership that an investment in response and recovery would appear to be a better investment. As ransomware grew in prevalence, many businesses accepted the risk of individual machines getting infected and losing localized data. These businesses implemented policies to quickly reimage the machine with its most recent backup and move on.

However, malware such as WannaCry and NotPetya have changed that equation by including worm functionality to spread across networks. Reimaging a single infected system was ineffective if the ransomware was able to quickly move across the network and infect additional systems. Businesses that had accepted the risk of handling few ransomware incidents now risked losing complete networks. This was seen in various British hospitals where operations were shut down completely while ransomware automatically spread itself across a widely vulnerable network.

However, just as NotPetya was incrementally more sophisticated compared to WannaCry, the Carbon Black TAU expects a rising-tide evolution of ransomware in the coming months as attackers attempt to further extort money from unprepared businesses and consumers.

While the defenses required to limit the spread and damage of ransomware could be easy to determine, their deployment across large organizations provide a challenge for many security teams. As ransomware becomes more sophisticated over time, such challenges only increase.

Security teams will have to implement better lines of defense to detect complex malware and adversaries using non-malware attacks to encrypt data. The development of more sophisticated malware isn’t then limited to single adversaries; Ransomware-as-a-Service (RaaS) operators can deploy a single, complex malware to hundreds of thousands of potential victims at a time.

A Deeper Look at Ransomware

For this research, the Carbon Black TAU analyzed more than 1,000 ransomware samples, categorizing them into more than 150 distinct families. Ransomware, like most other malware applications, can be grouped based upon its development characteristics; methods of injection; and unique techniques, tactics, and procedures (TTPs).

These attributes suggest that each group was designed by the same set of developers for the same purpose. Each family could be unique in the encryption routine it uses, the files it targets, the style of ransom note it provides, or even the method in which it collects its ransom.

Our research highlighted some interesting trends:

Most of ransomware samples we evaluated are designed to run in place. Without the need for installation or configuration, these samples will start encrypting data immediately after execution. This is in contrast to less frequently seen families that perform more elaborate installation methods before malicious activity starts.

Some ransomware families (for example Abpodul) leveraged non-malware tactics. Characterized by files that would not be detected as malicious by legacy antivirus, these threats leverage “trusted” native tools, such as Microsoft’s PowerShell, to delete Volume Shadow Copies and encrypt files. More prevalent malware even used PowerShell as a means to download and run the actual ransomware executable.

Ransomware code is less complex than many other forms of malware. A basic ransomware sample simply needs to traverse folders and encrypt files using standard Windows routines. There is very little coding involved to make ransomware, and much of that code can be sourced from other online projects.

Attackers are playing a numbers game to launch a mass set of attacks against the largest vulnerable population possible. “Ransomware as a Service’” (RaaS) and the emergence of Bitcoin have lowered the barrier to entry for attackers using ransomware. Bitcoin and ransomware are very clearly closely tied, with ransomware experiencing triple digit percentage growth since Bitcoin’s founding in 2009.

By using underground markets and the dark web, Ransomware-as-a-Service provides an adversary with no technical experience the ability to easily sponsor a ransomware campaign with available funds.

These “spray and pray” attacks often rely on spamming and phishing campaigns to guarantee a small percentage of infections to extort money. Similar to many spam campaigns, ransomware has been sent en masse to thousands of email addresses at a single organization, requiring just one person to execute the payload for a successful attack.

99% of ransomware attacks target Microsoft products given Microsoft’s large market share. Mac users were virtually untouched by the ransomware samples we researched. In fact, we found only a small handful of families targeting MacOS. One of those was destructive-ware due to it never sending the encryption key to any command and control server.

The majority of ransomware samples were written in English, a default language for Microsoft Windows products. We also came across samples written in French, German, Chinese, Japanese, and Russian.

The trend toward rudimentary ransomware speaks to the current state of cyber defense. On one hand, organizations with nascent (or non-existing) security programs have been unable to prevent even the most basic attacks. For more robust security teams, the focus on advanced, targeted attacks has potentially detracted from the routine “blocking and tackling” required to stop even attacks that have limited sophistication.

Traditional defenses are heavily skewed to detecting and blocking malicious files downloaded to a computer system. A reliance on this method distracts defenders from seemingly legitimate applications exhibiting malicious behavior. Many ransomware attacks are using existing tools on the machine, (e.g. PowerShell.)

File-based solutions that focus on static indicators of files such as file names, unique strings, and hashes, are missing ransomware attacks as they don’t have visibility into the “DNA” of an attack. Without tracking malicious behavior and intent, such defensive methods could be unable to accurately predict future attacks involving volatile code leveraging such tools as Javascript, PowerShell, Visual Basic, and Active Server Pages (ASP).